akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

Fix duplicate ACME entries for subdomains covered by wildcard ACME host

Browse Source 
The previous fix (92fa1cb) only collapsed subdomains when an explicit
managed/imported certificate had a wildcard. When all hosts use Caddy
Auto (no certificate assigned), the wildcard ACME host was not checked
against sibling subdomain hosts, so each showed as a separate entry.

Also adds a startup migration to rename the stored IONOS DNS credential
key from api_token to auth_api_token for users who configured IONOS
before ef62ef2.

Closes #110

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
fuomag9
2026-04-20 18:04:38 +02:00
parent 96bac86934
commit 6515da666f
3 changed files with 108 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
app/(dashboard)/certificates/page.tsx
View File

@@ -180,6 +180,28 @@ export default async function CertificatesPage({ searchParams }: PageProps) {
}
}
// Among ACME auto-managed hosts, collapse subdomain hosts under wildcard hosts.
// e.g. if *.domain.de is an ACME host, sub.domain.de should not appear separately.
const wildcardAcmeHosts = filteredAcmeHosts.filter(h => h.domains.some(d => d.startsWith('*.')));
const wildcardDomainSets = wildcardAcmeHosts.map(h => h.domains);
const deduplicatedAcmeHosts: AcmeHost[] = [];
for (const host of filteredAcmeHosts) {
// Never collapse a host that itself has a wildcard domain
if (host.domains.some(d => d.startsWith('*.'))) {
deduplicatedAcmeHosts.push(host);
continue;
}
// Check if all of this host's domains are covered by any wildcard ACME host
const coveredByWildcard = wildcardDomainSets.some(wcDomains =>
host.domains.every(d => isDomainCoveredByCert(d, wcDomains))
);
if (coveredByWildcard) {
adjustedAcmeTotal--;
} else {
deduplicatedAcmeHosts.push(host);
}
}
const importedCerts: ImportedCertView[] = [];
const managedCerts: ManagedCertView[] = [];
const issuedByCa = issuedClientCerts.reduce<Map<number, IssuedClientCertificate[]>>((map, cert) => {
@@ -214,7 +236,7 @@ export default async function CertificatesPage({ searchParams }: PageProps) {
return (
<CertificatesClient
acmeHosts={filteredAcmeHosts}
acmeHosts={deduplicatedAcmeHosts}
importedCerts={importedCerts}
managedCerts={managedCerts}
caCertificates={caCertificateViews}

38
src/lib/db.ts
View File

@@ -301,10 +301,48 @@ function runCloudflareToProviderMigration() {
db.insert(settingsTable).values({ key: "dns_provider_migrated", value: "true", updatedAt: now }).run();
}
/**
* One-time migration: rename IONOS DNS credential key from the old
* `api_token` to the correct `auth_api_token` expected by the libdns module.
* Idempotent — skips if the key has already been renamed or never existed.
*/
function runIonosFieldNameMigration() {
if (sqlitePath === ":memory:") return;
const { settings: settingsTable } = schema;
const flag = db.select().from(settingsTable).where(eq(settingsTable.key, "ionos_field_migrated")).get();
if (flag) return;
const row = db.select().from(settingsTable).where(eq(settingsTable.key, "dns_provider")).get();
if (row) {
try {
const parsed = JSON.parse(row.value) as { providers?: Record<string, Record<string, string>>; default?: string };
const ionos = parsed.providers?.ionos;
if (ionos && "api_token" in ionos && !("auth_api_token" in ionos)) {
ionos.auth_api_token = ionos.api_token;
delete ionos.api_token;
const now = new Date().toISOString();
db.update(settingsTable)
.set({ value: JSON.stringify(parsed), updatedAt: now })
.where(eq(settingsTable.key, "dns_provider"))
.run();
console.log("Migrated IONOS DNS provider field: api_token -> auth_api_token");
}
} catch (e) {
console.warn("Failed to migrate IONOS field name:", e);
}
}
const now = new Date().toISOString();
db.insert(settingsTable).values({ key: "ionos_field_migrated", value: "true", updatedAt: now }).run();
}
try {
runBetterAuthDataMigration();
runEnvProviderSync();
runCloudflareToProviderMigration();
runIonosFieldNameMigration();
} catch (error) {
console.warn("Better Auth data migration warning:", error);
}

47
tests/e2e/certificates.spec.ts
View File

@@ -69,4 +69,51 @@ test.describe('Certificates', () => {
await page.request.delete(`${API}/certificates/${cert.id}`, { headers });
}
});
test('ACME wildcard host hides subdomain ACME hosts in certificates page', async ({ page }) => {
const BASE_URL = 'http://localhost:3000';
const API = `${BASE_URL}/api/v1`;
const headers = { 'Content-Type': 'application/json', 'Origin': BASE_URL };
const domain = `acme-wc-${Date.now()}.example`;
// 1. Create a proxy host with wildcard domain (no certificate → ACME auto)
const wcHostRes = await page.request.post(`${API}/proxy-hosts`, {
data: {
name: `Wildcard ${domain}`,
domains: [`*.${domain}`],
upstreams: ['127.0.0.1:8080'],
},
headers,
});
expect(wcHostRes.status()).toBe(201);
const wcHost = await wcHostRes.json();
// 2. Create a proxy host for a subdomain (also no certificate → ACME auto)
const subHostRes = await page.request.post(`${API}/proxy-hosts`, {
data: {
name: `Sub ${domain}`,
domains: [`sub.${domain}`],
upstreams: ['127.0.0.1:8080'],
},
headers,
});
expect(subHostRes.status()).toBe(201);
const subHost = await subHostRes.json();
try {
// 3. Visit certificates page — subdomain should be collapsed under the wildcard
await page.goto('/certificates');
await expect(page.getByRole('tab', { name: /acme/i })).toBeVisible();
await page.getByRole('tab', { name: /acme/i }).click();
const acmeTab = page.locator('[role="tabpanel"]');
// The wildcard host should be visible
await expect(acmeTab.getByText(`*.${domain}`)).toBeVisible({ timeout: 5_000 });
// The subdomain host should NOT appear as a separate entry
await expect(acmeTab.getByText(`sub.${domain}`)).not.toBeVisible({ timeout: 5_000 });
} finally {
await page.request.delete(`${API}/proxy-hosts/${subHost.id}`, { headers });
await page.request.delete(`${API}/proxy-hosts/${wcHost.id}`, { headers });
}
});
});